Is my 1password login password the weakest link in the overall security chain?

jeffaxup
Community Member

I'm wondering how to increase the security of my use of 1Password.
I store my '1Password.agilekeychain' file on Dropbox, and my understanding is that it is heavily encrypted while it is stored there.
If dropbox were to be hacked, and that file stolen, the thief could:
1) try to decrypt the file, which would be prohibitively hard
2) they could install 1Password on their system and try to restore my '1Password.agilekeychain' file. Correct? And to do that they would need to enter my password. Brute-forcing my password via this scenario is probably easier than option 1.

So I'm presuming that I should have a very long/secure password for 1Password since this is the weakest link?
The only issue with that is that I have to re-enter that password many times a day on the mac, which makes it a pain to have a long password.

Any serious advantages to using an iCloud sync over a DropBox sync? I'm a bit concerned about not being able to actually see/copy the iCloud password backup file.


1Password Version: 6
Extension Version: Not Provided
OS Version: OS 11
Sync Type: DropBox
Referrer: forum-search:security of password file

Comments

  • AGAlumB
    1Password Alumni
    edited November 2017

    @jeffaxup: You're right that your Master Password is going to be the easiest way for someone to get into your data. It's best to use a long, strong, unique Master Password so that it will not be easy to guess. There are three other things that can help though.

    First, 1Password uses PBKDF2 to protect against brute force attacks by essentially making each guess a difficult math problem. This slows down the rate at which guesses can be made considerably.

    Second, you can use the newer OPVault format, which increases the computational burden further. This is similar to the data format used when syncing with iCloud.

    Third, and separate from the other two, switching to a 1Password.com membership gets you the above benefits along with the additional security of the (128-bit, randomly generated) Secret Key, which is also used to encrypt the data along with your Master Password. We're still using PBKDF2 and similar data structures, but this makes it so that an attacker who has the encrypted data cannot perform a brute force attack against your Master Password, because the Secret Key is also needed.

    I hope this helps. Be sure to let me know if you have any other questions! :)
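    The two mechanisms in the reply above, PBKDF2 stretching and a second random secret mixed into the key, are easy to see in a small simulation. The following Python is an added illustration, not code from this thread and not 1Password's own key-derivation scheme: the iteration count, salt, the HMAC used in place of an HKDF step, the XOR combination, and the "verifier" that stands in for decrypting the vault are all constructed assumptions. What it shows is that an offline guesser against password-only data recovers a weak Master Password from a short candidate list, that each guess costs a full PBKDF2 run, and that the same candidate list fails when a 128-bit Secret Key the attacker does not have is part of the key.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example parameters; real 1Password iteration counts, salts
# and key-combination details are not taken from this thread.
ITERATIONS = 100_000
SALT = b"constructed-16-byte-salt"


def derive_from_password(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the Master Password with PBKDF2-HMAC-SHA256.

    Every guess has to pay for `iterations` HMAC rounds, which is what
    turns a fast hash into a slow one for an offline attacker.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def derive_from_secret_key(secret_key: bytes, salt: bytes) -> bytes:
    """Expand a random 128-bit Secret Key into 32 bytes.

    No stretching is needed: the key is already random, so guessing it is a
    2**128 search whatever the iteration count. A single HMAC is used here as a
    simplified stand-in for an HKDF expansion step (assumption, not the product's KDF).
    """
    return hmac.new(secret_key, salt, hashlib.sha256).digest()


def combine(password_part: bytes, secret_part: bytes) -> bytes:
    """XOR the two derived keys so that neither one alone is sufficient."""
    return bytes(a ^ b for a, b in zip(password_part, secret_part))


def make_verifier(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?' (a real vault would be
    an authenticated AES decryption; here a hash of the key plays that role)."""
    return hashlib.sha256(b"verifier:" + key).digest()


def offline_guess(candidates, salt, verifier, iterations=ITERATIONS, secret_key=None):
    """Simulated offline attack: try each candidate Master Password against the verifier.

    Returns the recovered password or None. `secret_key` is whatever the
    attacker actually holds; someone who only stole the encrypted data does
    not have the Secret Key and therefore runs with secret_key=None.
    """
    for candidate in candidates:
        key = derive_from_password(candidate, salt, iterations)
        if secret_key is not None:
            key = combine(key, derive_from_secret_key(secret_key, salt))
        if hmac.compare_digest(make_verifier(key), verifier):
            return candidate
    return None


def guesses_per_second(salt, iterations, trials=3) -> float:
    """Measure how the iteration count throttles a single-threaded guesser on this machine."""
    start = time.perf_counter()
    for i in range(trials):
        derive_from_password(f"guess-{i}", salt, iterations)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    candidates = ["password", "123456", "Summer2017!", "letmein"]  # constructed candidate list
    master = "Summer2017!"  # constructed weak Master Password

    # Password-only data, as in the question's Dropbox/agilekeychain scenario.
    pw_key = derive_from_password(master, SALT)
    print("password only:", offline_guess(candidates, SALT, make_verifier(pw_key)))

    # Password plus Secret Key: the attacker has the ciphertext but not the Secret Key.
    secret_key = secrets.token_bytes(16)
    full_key = combine(pw_key, derive_from_secret_key(secret_key, SALT))
    print("with Secret Key, attacker lacks it:",
          offline_guess(candidates, SALT, make_verifier(full_key)))
    print("with Secret Key, owner has it:",
          offline_guess(candidates, SALT, make_verifier(full_key), secret_key=secret_key))

    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: ~{guesses_per_second(SALT, n):.0f} guesses/s (one thread)")
```

    The guess-rate figure is only a local, single-threaded number; a determined attacker parallelises, which is exactly why the answer recommends a long random Master Password on top of the stretching rather than relying on PBKDF2 alone.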

  • jones411
    Community Member

    I wonder if it's possible to integrate a physical security key like the YubiKey NEO. That way you also need a physical device to unlock your account. Most people buy two and keep one locked away somewhere as a backup.

    Also what about the suggestion of using a long sentence as a password using numbers, dashes, or periods instead of spaces?

  • AGAlumB
    1Password Alumni

    > I wonder if it's possible to integrate a physical security key like the YubiKey NEO. That way you also need a physical device to unlock your account. Most people buy two and keep one locked away somewhere as a backup.

    @jones411: Definitely an interesting area, but as you point out it runs the risk of locking you out — and potentially by no fault of your own: if it stops functioning, it doesn't matter if you never lose it. Something to consider though as technology matures.

    > Also what about the suggestion of using a long sentence as a password using numbers, dashes, or periods instead of spaces?

    That sounds like a non-random password, which will be easier to guess compared to a random one. It's a good idea though at its core, since it is easier to remember and type words than combinations of letters, numbers, and symbols. I'd suggest checking out 1Password's "words" option in the password generator:

    Using this to get a password of 4 random words will be much harder to guess than a sentence that you choose yourself. Using special characters as separators only really helps if they are random, which also makes them harder to remember and type. So I'd say while that's a judgement call on your part too, I'd prefer to use a longer word-based password instead, since each randomly-chosen word adds a tremendous amount of entropy. Cheers! :)
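    The entropy arithmetic behind "each randomly-chosen word adds a tremendous amount" and "separators only help if they are random" can be worked through directly. The Python below is an added example, not the forum's or 1Password's generator: the 16-word list is constructed for the demo, the 7776-word pool size is the Diceware convention rather than the size of 1Password's list, and the 94-character pool for the character-based comparison is the printable ASCII set. It also generalises the reply slightly by letting you compare any word count and separator pool, and generates a passphrase with the standard library's CSPRNG. A self-chosen sentence gets no number here on purpose: its entropy cannot be computed this way, which is the reply's point about preferring random words.

```python
import math
import secrets

# Constructed 16-word list for demonstration only; a real generator draws from
# thousands of words (the Diceware convention is a 7776 = 6**5 word list).
WORDLIST = ["anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
            "island", "juniper", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble"]
DICEWARE_SIZE = 7776
PRINTABLE = 94  # printable ASCII characters, for the character-based comparison


def entropy_bits(pool_size: int, choices: int) -> float:
    """Entropy of `choices` independent, uniform picks from a pool of `pool_size`."""
    return choices * math.log2(pool_size)


def passphrase_entropy(wordlist_size: int, n_words: int, separator_pool: int = 1) -> float:
    """Bits contributed by n random words plus the n-1 separators between them.

    A fixed separator is a pool of size 1 and contributes log2(1) = 0 bits;
    separators only add entropy when each one is chosen at random.
    """
    return entropy_bits(wordlist_size, n_words) + entropy_bits(separator_pool, n_words - 1)


def generate_passphrase(wordlist, n_words: int, separators: str = "-") -> str:
    """Pick words (and, if several separators are offered, separators) with a CSPRNG.

    secrets.choice is uniform over the list, which is what the entropy
    figures above assume; random.choice would not be suitable here.
    """
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    if len(separators) == 1:
        return separators.join(words)
    out = words[0]
    for word in words[1:]:
        out += secrets.choice(separators) + word
    return out


def compare_strategies(wordlist_size: int = DICEWARE_SIZE) -> dict:
    """Entropy in bits for a few generator settings, to put word counts in context."""
    return {
        "4 words, fixed '-' separator": passphrase_entropy(wordlist_size, 4),
        "4 words, random digit separators": passphrase_entropy(wordlist_size, 4, separator_pool=10),
        "5 words, fixed '-' separator": passphrase_entropy(wordlist_size, 5),
        "6 words, fixed '-' separator": passphrase_entropy(wordlist_size, 6),
        "8 random printable characters": entropy_bits(PRINTABLE, 8),
        "12 random printable characters": entropy_bits(PRINTABLE, 12),
    }


if __name__ == "__main__":
    for label, bits in compare_strategies().items():
        print(f"{bits:6.1f} bits  {label}")
    print("example (demo list, fixed separator):", generate_passphrase(WORDLIST, 4))
    print("example (demo list, random digit separators):",
          generate_passphrase(WORDLIST, 4, separators="0123456789"))
```

    With a 7776-word list, four words come to about 51.7 bits and each extra word adds about 12.9 bits, roughly what two extra random printable characters would add; random digit separators between four words add just under 10 bits, while a fixed dash adds nothing.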

This discussion has been closed.